This is a point to be raised in the security considerations section of the
document. It is quite reasonable to document both methods of using RSA,
then warn people that a different key pair should be used with each one.

At 01:03 AM 5/25/2002 +0200, Bodo Moeller wrote:
Housley, Russ <rhousley(_at_)rsasecurity(_dot_)com>:
>>> Here is the next draft of the proposed working group charter. The
>>> biggest change from the previous posting is that both OAEP and KEM
>>> standards track documents.
>> Are the differences between the attacks and mitigations presented by OAEP
>> and KEM really worth the high likelihood of lack of interoperability?
> RSA using PKCS#1_v1.5, OAEP, and KEM all employ the same certificate, so
> this choice does not require any adjustments in the PKI.
This makes it pretty pointless to use "provably secure"
cryptography, though -- all security guarantees that OAEP, say, may
promise are voided if you use the same key for decrypting messages
using some other style of RSA.